Currently, computers are subject to malware attacks, and considerable effort is expended in trying to prevent these attacks or to address them once they occur. One particular type of virus is known as the zero-day virus. A zero-day virus is a previously unknown computer virus for which specific antivirus software signatures are not yet available. Because a signature is not yet available, the virus cannot be detected by software that relies on virus patterns. Normally, antivirus software that relies upon signatures to identify malware can be effective, but it cannot defend against malware until samples have been obtained and updates distributed to users. Therefore, signature-based approaches are not effective against zero-day viruses.
Similarly, a zero-day (or zero-hour or day-zero) attack is malware that exploits computer application vulnerabilities that are unknown to the software developer. Zero-day attacks are used by attackers before the software developer knows about the vulnerability.
Techniques exist to limit the effectiveness of zero-day attacks. For example, the Microsoft operating system includes limited protection against generic memory corruption vulnerabilities. Another example is the use of “multiple layers,” which provides service-agnostic protection: access control lists are implemented in the service itself, network access is restricted via local server firewalls, and the entire network is then protected with a hardware firewall. The disadvantage is that network access can be restricted and an extra hardware device is needed. The use of “port knocking” or single packet authorization daemons may provide effective protection against zero-day attacks in network services. These techniques, however, are not suitable for environments with a large number of users.
The use of white lists can protect against zero-day attacks. White lists allow only known good applications to access a system, so any unknown application is denied access. Although the use of white lists can be effective against zero-day attacks, an application “known” to be good can in fact have vulnerabilities that were missed in testing. To increase protection, the use of white lists is often combined with the use of a blacklist of virus definitions, but this can be quite restrictive to the user.
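As an added illustration of the contrast drawn above between signature-based scanning and white lists (example code, not part of the original text), the following Python models a signature blocklist, an allowlist of known good application digests, and their combination; the sample byte strings, the signature pattern and the digest set are constructed for the example.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample "executables": raw bytes standing in for program files.
KNOWN_GOOD_APP = b"MZ\x90\x00 trusted-editor v1.0"
KNOWN_VIRUS = b"MZ\x90\x00 payload SAMPLE-VIRUS-MARKER"
UNKNOWN_APP = b"MZ\x90\x00 never-seen-before tool"

# Signature blocklist: byte patterns extracted from previously obtained malware samples.
VIRUS_SIGNATURES = {"sample-virus-1": b"SAMPLE-VIRUS-MARKER"}

# Allowlist: SHA-256 digests of applications known to be good.
ALLOWLIST = {hashlib.sha256(KNOWN_GOOD_APP).hexdigest()}


def matches_signature(data: bytes) -> Optional[str]:
    """Return the name of the first matching virus signature, or None."""
    for name, pattern in VIRUS_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def signature_only_decision(data: bytes) -> str:
    """Classic antivirus: block only what matches a known signature.
    Anything without a signature, including a zero-day sample, is allowed."""
    return "block" if matches_signature(data) else "allow"


def allowlist_decision(data: bytes) -> str:
    """White list: run only applications whose digest is known good.
    Unknown applications are denied, but an allowlisted app with an
    undiscovered vulnerability is still permitted to run."""
    digest = hashlib.sha256(data).hexdigest()
    return "allow" if digest in ALLOWLIST else "block"


def combined_decision(data: bytes) -> Tuple[str, str]:
    """White list combined with a signature blocklist; returns (decision, reason)."""
    hit = matches_signature(data)
    if hit:
        return "block", f"matches signature {hit}"
    if hashlib.sha256(data).hexdigest() in ALLOWLIST:
        return "allow", "digest on allowlist"
    return "block", "unknown application (possible zero-day)"
```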
Another method to avoid zero-day attacks from a user perspective is to wait for a lengthy period of time before upgrading to a new version of software. The idea is that later software revisions will fix software vulnerabilities. While this method avoids zero-day attacks that are discovered before the next software release, security holes in any software can be discovered at any time. Also, the user must forgo the new version of software for a period of time.
Given the importance of early threat detection without the use of pattern files, and the various drawbacks of prior art approaches, an improved technique is desired to detect zero-day malicious activities on enterprise host computers.